Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, VA 22226                    Office of Inspector General


DATE:              March 26, 2014

MEMORANDUM TO:     Martin J. Gruenberg
                   Chairman

                   /Signed/
FROM:              Fred W. Gibson, Jr.
                   Acting Inspector General

SUBJECT:           Reliability of Previously-Issued Audit Reports on the FDIC's
                   Information Security Program


In a memorandum dated May 30, 2013, the Office of Inspector General (OIG) informed you that it had become aware of information related to the FDIC's information security program that could affect the reliability of two previously-issued audit reports: Independent Evaluation of the FDIC's Information Security Program—2011 (Report No. AUD-12-002, dated October 31, 2011) and Independent Evaluation of the FDIC's Information Security Program—2012 (Report No. AUD-13-003, dated November 5, 2012). These reports were not made available to the public due to the sensitive nature of the information they contained. Only the reports' Executive Summaries, which did not contain sensitive information, were posted on our public Web site.

Consistent with Government Auditing Standards, we provided notice to users of the reports that the associated findings and conclusions may not be reliable. Further, we performed expanded audit procedures during 2013 to assess the impact of the information on the earlier reports. Based on those procedures, we determined that the findings and conclusions related to Incident Response and Reporting and Risk Management in both reports were not reliable, but that the reports' other findings and conclusions were reliable, and the associated recommendations were valid. The results of our expanded audit procedures are described in our audit report, entitled Independent Evaluation of the FDIC's Information Security Program—2013 (Report No. AUD-14-002, dated November 21, 2013).

We plan to link this memorandum to the Executive Summaries of the earlier audit reports posted on our public Web site to clarify the associated findings and conclusions.

If you have questions or concerns regarding this matter, please contact me at (703) 562-6339.


                                    Executive Summary
                                    Independent Evaluation of the FDIC's
                                    Information Security Program—2011

                                                            Report No. AUD-12-002
                                                                     October 2011

Why We Did The Audit

The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies, including the FDIC, to perform annual independent evaluations of their information security programs and practices and to report the evaluation results to the Office of Management and Budget (OMB). FISMA states that the independent evaluations are to be performed by the agency Inspector General (IG), or by an independent external auditor as determined by the IG. The objective of this performance audit was to evaluate the effectiveness of the FDIC's information security program and practices, including the FDIC's compliance with FISMA and related information security policies, procedures, standards, and guidelines.


Background

Key to achieving the FDIC's mission of maintaining stability and public confidence in the nation's financial system is safeguarding the sensitive information that the Corporation collects and manages. Ensuring the confidentiality, integrity, and availability of this information in an environment of increasingly sophisticated security threats requires a strong, corporate-wide information security program.

FISMA directs the National Institute of Standards and Technology (NIST) to develop risk-based standards and guidelines to assist agencies in defining security requirements for their information systems. In addition, OMB issues information security policies and guidelines, including annual instructions to the heads of federal executive departments and agencies for meeting their reporting requirements under FISMA. The Department of Homeland Security (DHS) exercises primary responsibility within the Executive Branch for the operational aspects of federal agency cybersecurity with respect to the federal information systems that fall within the scope of FISMA. DHS's responsibilities include overseeing agency compliance with FISMA and developing analyses for OMB to assist in the development of OMB's annual FISMA report to the Congress. In this regard, DHS provided agency IGs with a set of security-related questions to address their FISMA reporting responsibilities in a June 1, 2011 document entitled FY 2011 Inspector General Federal Information Security Management Act Reporting.

We evaluated the effectiveness of the FDIC's information security program and practices by designing audit procedures to assess consistency between the FDIC's security controls and FISMA requirements, OMB policy and guidelines, and applicable NIST standards and guidelines in the areas covered by the DHS questions. In addition, we engaged KPMG LLP to provide audit assistance in certain security control areas. We are required to submit our responses to the DHS questions through OMB's FISMA reporting platform, CyberScope, by November 15, 2011.


Audit Results

We concluded that, except as noted below, the FDIC had established and maintained information security program controls that were generally consistent with FISMA requirements, OMB policy and guidelines, and applicable NIST standards and guidelines for the security control areas that we evaluated. Of particular note, the FDIC had established security policies and procedures in almost all of the security control areas evaluated. In addition, the FDIC continued its prior-year efforts to implement current and emerging security standards and guidelines published by NIST, such as updating its security plan template to reflect new NIST guidelines. The FDIC had also implemented various security control improvements following our prior-year security evaluation. Most notably, the FDIC made meaningful progress in developing an agency-wide continuous monitoring program to evaluate the security of its information systems and hired additional information security managers to support and administer security over its general support systems and major applications.

Notwithstanding the above achievements, priority management attention continues to be warranted in some security control areas, particularly continuous monitoring management. Specifically, significant work remains before the FDIC's agency-wide continuous monitoring program is fully implemented. In addition, risk in the area of contractor systems remains elevated as a result of the FDIC's continued heavy reliance on contractors to support its bank resolution and receivership activities. While the FDIC has developed a formal methodology for assessing risks associated with its contractor systems, work remains to fully apply this methodology to all of the FDIC's outsourced information service providers. Maintaining vigilance in these and other areas of the FDIC information security program will continue to be important given other corporate priorities associated with the current banking environment.


Recommendations and Management Comments

The report includes seven recommendations intended to improve the effectiveness of the FDIC's information security program controls in the areas of plans of action and milestones, remote access management, identity and access management, and contractor systems. In many cases, the FDIC was already working to strengthen security controls in these areas during our audit. Our report does not include recommendations in the area of continuous monitoring management because the FDIC was still carrying out a multi-year effort to fully address a recommendation in our prior-year FISMA-required security evaluation report.

On October 27, 2011, the FDIC's Chief Information Officer (CIO), who also serves as Director, Division of Information Technology, provided a written response to a draft of this report. In the response, the CIO concurred with all seven of the report's recommendations and described planned corrective actions that were responsive.

The report contains sensitive information concerning the FDIC's information security program. Accordingly, we do not intend to release the report publicly.